Wednesday, 22 April 2009

Tripwire installation and configuration for CENTOS 5.3

Warning: there is one thing that has to be taken into consideration; otherwise you may be disappointed with the result.

At last I passed all necessary steps for tripwire configuration on a CENTOS 5.3 server. There were some differences compared with Ubuntu. Below is, step by step, how I performed it:

Download Tripwire package

Unfortunately there is no version for CENTOS and I had to download the FEDORA version:

wget http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/tripwire-2.4.1.1-1.fc5.i386.rpm

Install rpm

  • rpm -ivh tripwire-2.4.1.1-1.fc5.i386.rpm

Modify (first attempt) /etc/tripwire/twpol.txt

  • I just added the admin e-mail to each section as in the example below:

was

(
rulename = "System boot changes",
severity = $(SIG_HI)
)

replaced with

(
rulename = "System boot changes",
severity = $(SIG_HI),
emailto = admin@domain.com
)

Key generation

cd /etc/tripwire/

  • First, generate the site key:

twadmin --generate-keys --site-keyfile site.key

  • Second, generate the local key:

twadmin --generate-keys --local-keyfile HOSTNAME-local.key

where HOSTNAME is the output of the hostname command.

cat /etc/tripwire/twcfg.txt

There should be the following lines:

SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key

Encrypt configuration file

twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt

Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

Make binary version of policy file

twadmin --create-polfile --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key twpol.txt

Please enter your site passphrase:

Wrote policy file: /etc/tripwire/tw.pol

Make initial database

tripwire --init --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key --local-keyfile server.example.com-local.key

where server.example.com is the hostname of my server, or simply:

tripwire -m i


Please enter your local passphrase:

Parsing policy file: /etc/tripwire/tw.pol

Generating the database...

*** Processing Unix File System ***

### Warning: File system error.

### Filename: /dev/kmem

### No such file or directory

### Continuing...

I have seen a lot of errors and had to fix them by just removing the entries from the policy file, rebuilding it and making the initial database again and again.

NOTE: I had to check the tripwire policy file syntax carefully to avoid misconfiguration. Example:

I put

/etc -> $(SEC_INVARIANT) (recurse = 0) ;

and later I could easily change most of the configuration files (except those exactly defined in the policy) without the tripwire check informing administrators about the changes.

To be informed later of all changes I had to modify the line above to:

/etc -> $(SEC_CRIT) (recurse = -1) ; # recurse = -1 requires subfolder check

# recurse = 0 disallows recursion

A good resource for tripwire policy I have found is the link in the previous post.

Update policy

Immediately after any system change, be it due to installation, update or removal of software or configuration files, it is mandatory to update the plain-text policy file and regenerate the binary database. Any successive Tripwire check would be meaningless otherwise. Therefore, run this command whenever it's necessary:

tripwire --update-policy --twrfile a_previous_integrity_report.twr

Because it is so critical, this operation requires both your local and site passphrases. When launched in this way, Tripwire detects as violations any changes that happened after the specified integrity check. In such a case, an actual update of the policy, ignoring such violations, is possible only if the user explicitly tells the program to run in low security mode. The corresponding option is -Z low and is explained in detail in the Tripwire man page.

I still have to check what the differences are between initializing the database and updating it. At present I prefer to init. When I tried to update, the next tripwire -m c reported the same differences as before.

To get the result of the nightly check by e-mail I had to modify /etc/cron.daily/tripwire-check:

change

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check

to

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check -M


What I ended up with

cat twpol.txt

# Global Variable Definitions

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=testhost.example.com;

@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability

# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;

#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}

# Commonly accessed directories that should remain static with regards
# to owner and group.
(
rulename = "Invariant Directories",
severity = $(SIG_MED),
emailto = logs@example.com
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}

#
# Critical executables
#
(
rulename = "Root file-system executables",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}

# Temporary directories.
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}

# Local files.
(
rulename = "User binaries",
severity = $(SIG_MED),
emailto = logs@example.com
)
{
/usr/bin -> $(SEC_BIN) ;
/usr/sbin -> $(SEC_BIN) ;
/usr/local/bin -> $(SEC_BIN) ;
}

(
rulename = "Shell Binaries",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/bin/bash -> $(SEC_BIN) ;
/bin/ksh -> $(SEC_BIN) ;
/bin/sh -> $(SEC_BIN) ;
/bin/tcsh -> $(SEC_BIN) ;
/sbin/nologin -> $(SEC_BIN) ;
}

(
rulename = "Security Control",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/security -> $(SEC_CRIT) ;
}

(
rulename = "Boot Scripts",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/etc/rc -> $(SEC_CONFIG) ;
}

(
rulename = "Login Scripts",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/etc/bashrc -> $(SEC_CONFIG) ;
/etc/csh.cshrc -> $(SEC_CONFIG) ;
/etc/csh.login -> $(SEC_CONFIG) ;
/etc/inputrc -> $(SEC_CONFIG) ;
/etc/profile -> $(SEC_CONFIG) ;
}

# Libraries
(
rulename = "Libraries",
severity = $(SIG_MED),
emailto = logs@example.com
)
{
/usr/lib -> $(SEC_BIN) ;
/usr/local/lib -> $(SEC_BIN) ;
}

# These files change every time the system boots.
(
rulename = "System boot changes",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
!/var/run/ftp.pids-all ; # Comes and goes on reboot.
!/root/.enlightenment ;
/dev/log -> $(SEC_CONFIG) ;
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
/dev/tty1 -> $(SEC_CONFIG) ; # tty devices
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely
/dev/tty4 -> $(SEC_CONFIG) ; # variable
/dev/tty5 -> $(SEC_CONFIG) ;
/dev/tty6 -> $(SEC_CONFIG) ;
/dev/urandom -> $(SEC_CONFIG) ;
/dev/initctl -> $(SEC_CONFIG) ;
/var/lock/subsys -> $(SEC_CONFIG) ;
/var/lock/subsys/crond -> $(SEC_CONFIG) ;
/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
/var/lock/subsys/network -> $(SEC_CONFIG) ;
/var/lock/subsys/portmap -> $(SEC_CONFIG) ;
/var/lock/subsys/sshd -> $(SEC_CONFIG) ;
/var/lock/subsys/syslog -> $(SEC_CONFIG) ;
/var/lock/subsys/xfs -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ;
/var/log -> $(SEC_CONFIG) ;
/etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
/etc/issue -> $(SEC_CONFIG) ;
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
/lib/modules -> $(SEC_CONFIG) ;
/etc/.pwd.lock -> $(SEC_CONFIG) ;
}

# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.cshrc -> $(SEC_CONFIG) ;
/root/.tcshrc -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
/root/.gnome -> $(SEC_CONFIG) ;
/root/.ICEauthority -> $(SEC_CONFIG) ;
/root/.mc -> $(SEC_CONFIG) ;
}

# Critical configuration files.
(
rulename = "Critical configuration files",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
/etc/crontab -> $(SEC_BIN) ;
/etc/cron.hourly -> $(SEC_BIN) ;
/etc/cron.daily -> $(SEC_BIN) ;
/etc/cron.weekly -> $(SEC_BIN) ;
/etc/cron.monthly -> $(SEC_BIN) ;
/etc/default -> $(SEC_BIN) ;
/etc/fstab -> $(SEC_BIN) ;
/etc/exports -> $(SEC_BIN) ;
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent
/etc/host.conf -> $(SEC_BIN) ;
/etc/hosts.allow -> $(SEC_BIN) ;
/etc/hosts.deny -> $(SEC_BIN) ;
/etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
/etc/protocols -> $(SEC_BIN) ;
/etc/services -> $(SEC_BIN) ;
/etc/rc.d/init.d -> $(SEC_BIN) ;
/etc/rc.d -> $(SEC_BIN) ;
/etc/mail.rc -> $(SEC_BIN) ;
/etc/motd -> $(SEC_BIN) ;
/etc/passwd -> $(SEC_CONFIG) ;
/etc/passwd- -> $(SEC_CONFIG) ;
/etc/profile.d -> $(SEC_BIN) ;
/var/lib/nfs/rmtab -> $(SEC_BIN) ;
/etc/rpc -> $(SEC_BIN) ;
/etc/sysconfig -> $(SEC_BIN) ;
/etc/samba/smb.conf -> $(SEC_CONFIG) ;
/etc/nsswitch.conf -> $(SEC_BIN) ;
/etc/yp.conf -> $(SEC_BIN) ;
/etc/hosts -> $(SEC_CONFIG) ;
/etc/inittab -> $(SEC_CONFIG) ;
/etc/resolv.conf -> $(SEC_CONFIG) ;
/etc/syslog.conf -> $(SEC_CONFIG) ;
}

# Critical devices.
(
rulename = "Critical devices",
severity = $(SIG_HI),
emailto = logs@example.com,
recurse = false
)
{
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/driver/rtc -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/mdstat -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}

# Rest of critical system binaries
(
rulename = "OS executables and libraries",
severity = $(SIG_HI),
emailto = logs@example.com
)
{
# /bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
